CVE-2026-31807

MEDIUM NUCLEI

SiYuan <3.5.10 - XSS

Title source: llm

Description

SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer (SanitizeSVG) blocks dangerous elements (<script>, <iframe>, <foreignobject>) and removes on* event handlers and javascript: in href attributes. However, it does NOT block SVG animation elements (<animate>, <set>) which can dynamically set attributes to dangerous values at runtime, bypassing the static sanitization. This allows an attacker to inject executable JavaScript into the unauthenticated /api/icon/getDynamicIcon endpoint (type=8), creating a reflected XSS. This is a bypass of the fix for CVE-2026-29183 (fixed in v3.5.9). This vulnerability is fixed in v3.5.10.

Nuclei Templates (1)

SiYuan <= v3.5.9 - SVG Animate Element XSS

MEDIUMVERIFIEDby 0x_Akoko

Shodan: http.favicon.hash:-1450125239

References (1)

[Vendor Advisory] https://github.com/siyuan-note/siyuan/security/advisories/GHSA-5hc8-qmg8-pw27

Scores

CVSS v3 6.1

EPSS 0.0038

EPSS Percentile 59.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

b3log/siyuan < 3.5.10

Published Mar 10, 2026

Tracked Since Mar 11, 2026